- The pace of updates to the National Vulnerability Database (NVD) has significantly slowed.
- The effectiveness of scan-only (no remediation) vulnerability management solutions has dramatically declined, leaving systems exposed to undetected vulnerabilities.
- Third-party patch management solutions emerge as critical for identifying, prioritizing, and mitigating vulnerabilities amidst these challenges.
A lot has been going on in the world of cybersecurity over the last few years. We have repeatedly seen record-breaking waves of newly discovered software vulnerabilities, making patching and vulnerability remediation more important than it has ever been. The need for accurate and efficient patching that just works is why Action1 was created, why it is trusted by thousands of networks, and why over 10 million endpoints rely on Action1 to keep them safe every day. Recently there has been news circulating in the security world that sounds a bit frightening, and we just want to make sure you know that through all this, Action1 is still your go-to tool for staying secure.
So, let’s dive further into what is going on…
What are NVD, CVE, and CPE?
The traditional approach to vulnerability management is to prioritize and patch everything you reasonably can, and for vulnerabilities without a patch, to track them, mitigate them where possible, and at the very least document them. Keeping track of all that vulnerability information in a reliable reference resource has centered on the National Vulnerability Database (NVD), a project maintained by the National Institute of Standards and Technology (NIST), a US Government organization. This large repository of information became the cornerstone of modern vulnerability management. Every major company and security researcher reported their vulnerability information there, for analysis, confirmation, indexing, and distribution to the millions of people who depend on rapid, accurate data to keep their systems secure. As a result, everyone in the identification, classification, and threat-hunting industry relies on this data to keep their customer base secure up to the minute.
The data comes in the form of Common Vulnerabilities and Exposures records (CVE) and a further set of data referenced by the CVE, known as Common Platform Enumeration (CPE) data. The CVE contains information about the nature of the vulnerability, the complexity involved in exploiting it, and the extent to which successful exploitation could be leveraged for system compromise; all of this factors into a score that indicates how much of a threat the CVE represents. The CPE data then contains details on all systems known to be affected by the CVE, with their versions, builds, and other data needed to positively identify systems requiring a patch or mitigation. CPE data is very resource-intensive to research and must be maintained as new versions of applications are confirmed to be vulnerable. As a result, a single CVE can have thousands of CPEs associated with it.
The Bad News
Then… Recently, security researchers started noticing that the CPE information was becoming sparse or was simply missing from some CVEs. A somewhat ominous message appeared on the NVD website: “NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.”
There has been a lot of speculation in the cybersecurity community about what this consortium will be, how it will be formed, who will be included, and what the result will look like when all the dust settles. Cybersecurity experts like Eric Chin from Anchore and Dan Lorenc from Chainguard have been among the first to sound the alarm. The best of what we know thus far is that the NVD program manager, Tanya Brewer, said recently at a conference that the NVD will be put into the hands of a group of vetted organizations, potentially as early as April of ‘24. However, we have not gotten any information on what the final product will look like. As of the time of this writing, over 4000 CVEs do not have associated analysis data, and the number is only growing by the day!
Most recently, NIST posted an update: “There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.”
Since almost all security products consume this information at some level, the potential impact on the vulnerability management ecosystem could be devastating. Since the NVD slowed down adding CPEs to CVEs, most scan-only (no remediation) solutions are now ineffective: a scanner can no longer tell whether a given app is vulnerable, because there is no association between the CVE number and the app name/version pairs it sees on the endpoint. Even one of the “BIG THREE” vulnerability management vendors, Qualys, acknowledges this to be an issue, meaning that even the largest vulnerability management vendor databases are likely nowhere near the depth and breadth of the NVD. The rest of the vuln scanning solutions are likely faring even worse.
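To make the CVE-to-CPE dependency described above concrete, here is an added example (not code from the original post, and not Action1's own tooling) that matches a small software inventory against two constructed CVE records laid out in the shape of NVD API 2.0 `cve` objects (the field names `vulnStatus`, `configurations`, `nodes`, `cpeMatch`, `criteria`, `versionStartIncluding` and `versionEndExcluding` are assumed from that API). The CVE ids, vendor and product names, and version numbers are placeholders. The first record carries CPE match data and can be matched to an installed version; the second is still awaiting analysis and has no configurations, so a scanner that relies on NVD data alone has nothing to match against and must report it as unmatchable rather than silently treating the endpoint as clean.

```python
"""Match an installed-software inventory against NVD-style CVE records and
flag CVEs that cannot be matched because their CPE data is missing."""

# Constructed sample records (assumption: shape follows NVD API 2.0 "cve" objects).
SAMPLE_CVES = [
    {
        "id": "CVE-0000-0001",  # placeholder id, constructed for this example
        "vulnStatus": "Analyzed",
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0.0",
             "versionEndExcluding": "2.4.1"}]}]}],
    },
    {
        "id": "CVE-0000-0002",  # placeholder id, constructed for this example
        "vulnStatus": "Awaiting Analysis",  # no CPE data has been attached yet
        "configurations": [],
    },
]

# Constructed inventory: (vendor, product, installed version) as a scanner would see it.
INVENTORY = [
    ("examplevendor", "exampleapp", "2.3.0"),  # inside the vulnerable range
    ("examplevendor", "exampleapp", "2.4.1"),  # the fixed build
]


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def cpe_fields(criteria):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def version_in_range(version, match):
    """Apply the four optional NVD range bounds to an installed version."""
    v = parse_version(version)
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def cpe_matches(cve):
    """Flatten every cpeMatch entry in a CVE's configuration nodes."""
    return [m for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])]


def cve_applies(cve, vendor, product, version):
    """True if any vulnerable CPE entry of the CVE covers this installed app."""
    for m in cpe_matches(cve):
        if not m.get("vulnerable", False):
            continue
        cpe_vendor, cpe_product, cpe_version = cpe_fields(m["criteria"])
        if (cpe_vendor, cpe_product) != (vendor, product):
            continue
        # An explicit version in the criteria string means an exact-version match.
        if cpe_version not in ("*", "-") and parse_version(cpe_version) != parse_version(version):
            continue
        if version_in_range(version, m):
            return True
    return False


def assess(cves, inventory):
    """Split CVEs into those matched to inventory items and those with no CPE data."""
    matched, unmatchable = {}, []
    for cve in cves:
        if not cpe_matches(cve):
            unmatchable.append(cve["id"])  # scan-only logic has nothing to compare against
            continue
        hits = [item for item in inventory if cve_applies(cve, *item)]
        if hits:
            matched[cve["id"]] = hits
    return {"matched": matched, "unmatchable": unmatchable}


if __name__ == "__main__":
    report = assess(SAMPLE_CVES, INVENTORY)
    for cve_id, hits in report["matched"].items():
        print(f"{cve_id}: affects {hits}")
    for cve_id in report["unmatchable"]:
        print(f"{cve_id}: no CPE data, cannot be matched to inventory")
```

The `unmatchable` list is the operational takeaway: any CVE that lands there is invisible to a name/version comparison, and the only way to close that gap is a data source that maps the CVE to affected builds independently of NVD analysis, or remediation that simply keeps the software on the vendor's current release.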
The Good News
But here is the good news. When a vulnerability is found in any mainstream application, it drives code patches and new builds by the respective vendor (e.g., Google would release an update for Google Chrome). This makes a third-party patching solution like Action1 the only practical way to stay on top of vulnerabilities because such solutions still detect outdated apps (along with some CVE info) and provide remediation capabilities. Action1’s in-house security team monitors for new versions of all supported software, adds them to Action1’s privately maintained Software Repository along with the CVE information, effectively creating the CVE-to-CPE associations (without relying on the NVD), and delivers security updates from the software vendors themselves. Yes, this will not cover any new vulnerabilities that do not have patches yet, but it is so much better than not having any visibility into exploitable vulnerabilities.
You can rest assured that as this transition occurs with the NVD, Action1 will be following it closely, and wherever it leads, we will adapt to continue to detect vulnerabilities that do not have released patches yet.
————–
What do you think about these recent developments? Let’s discuss this on the Action1 subreddit or Action1 Discord.